Hacking SCADA and ICS (Part 2)

Continuing from our last post, welcome to part 2 of our series, where we'll be covering file-format fuzzing as it pertains to SCADA and ICS software.

You may be asking yourself why we want to look at file-format fuzzing, and the answer is simple: the majority of the SCADA software I've looked at uses a highly customized or proprietary file format, and that format is usually surrounded by parsing routines riddled with security holes. For part two of the series, we'll be looking at an old version of IntegraXor by Ecava. The old version can be downloaded from the Exploit Database software repository. If you're interested in hunting for new bugs, newer versions of the software can be downloaded for free from the vendor's site.

To generate the mutated files and monitor the target process, we'll be using FOE (the Failure Observation Engine) from CERT, which I previously blogged about here. Once you have FOE installed and configured, the next step is to create a template or seed file. When dealing with proprietary file formats, you can take two approaches: reverse engineer the file format and generate files from that template, or mutate known-good files (also covered in my previous FOE post) and use those as your fuzzy input. Since this is an introductory series, we'll simply proceed with mutation-based fuzzing.

Go ahead and install the IntegraXor .msi that I linked to previously; I'll wait. Once it is installed, open IntegraXor Editor (igpe.exe). This is the program we'll use to generate an .igx file, the proprietary file format used for IntegraXor project files. With the Editor, the process is straightforward: open the editor, create a new project, add whatever components or changes you want, and save it. Voila, you have created your first .igx file to fuzz. For better coverage, create several .igx files, each slightly or moderately different from the others, so that FOE exercises different parts of the parser.

For FOE, the setup is quick and similar to what was covered in my previous post on FOE. Your paths will differ depending on where you chose to install the program, but first run your project from the command line to make sure that it opens properly when launched with the file name as the only argument:

C:\FOE2>C:\Ecava\igpe.exe c:\FOE2\seedfiles\fuzzy.igx

If it launches, you're ready to configure it in FOE, which is pretty simple. Using your installation path, change the config as shown below:

target:
    program: C:%INSTALLPATH%\igpe.exe
    cmdline_template: $PROGRAM $SEEDFILE #note we removed the NUL by default here

And make sure that your igx file(s) are in the proper $SEEDFILES directory...

directories:
    seedfile_dir: seedfiles
    working_dir:  C:\FOE2\fuzzdir
    results_dir:  results

And lastly, start your fuzzing campaign:

C:\FOE2>C:\Python27\python.exe foe2.py -c configs\ecava.yaml

That's all there is to it!
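To make the moving parts of the campaign above concrete, here is an added example (my own Python 3 code, not part of FOE or of the original post) of a minimal mutation-based file fuzzer: it byte-flips each seed .igx, expands the same `$PROGRAM $SEEDFILE` template into a command line, launches the target with the case file as its only argument, and keeps any case that makes the process exit abnormally. The directory names and the igpe.exe path are assumptions taken from the config above; FOE itself does far more (debugger attach and crash triage), which this example does not reproduce.

```python
import os
import random
import shutil
import subprocess

def mutate(data: bytes, ratio: float = 0.01, seed: int = 0) -> bytes:
    # Byte-flip mutator: XOR a fraction of the bytes with a non-zero value.
    # Deterministic per seed so that a crashing case can be regenerated.
    if not data:
        return data
    rng = random.Random(seed)
    buf = bytearray(data)
    count = max(1, int(len(buf) * ratio))
    for pos in rng.sample(range(len(buf)), count):
        buf[pos] ^= rng.randrange(1, 256)  # non-zero XOR guarantees a change
    return bytes(buf)

def build_cmdline(program: str, seedfile: str,
                  template: str = "$PROGRAM $SEEDFILE") -> list:
    # Expand FOE's cmdline_template into an argv list for subprocess.
    subst = {"$PROGRAM": program, "$SEEDFILE": seedfile}
    return [subst.get(tok, tok) for tok in template.split()]

def run_case(program: str, case_path: str, timeout: int = 15) -> str:
    # Launch the target with the case file as its only argument. A GUI editor
    # normally stays open, so hitting the timeout (which kills it) counts as
    # "ok"; any non-zero exit (e.g. an access violation) is recorded as a crash.
    try:
        proc = subprocess.run(build_cmdline(program, case_path),
                              timeout=timeout, capture_output=True)
    except subprocess.TimeoutExpired:
        return "ok"
    return "ok" if proc.returncode == 0 else "crash"

def campaign(program, seed_dir="seedfiles", work_dir="fuzzdir",
             results_dir="results", iterations=100):
    # Mutate every seed `iterations` times; copy crashing cases to results_dir.
    for d in (work_dir, results_dir):
        os.makedirs(d, exist_ok=True)
    crashes = []
    for name in sorted(f for f in os.listdir(seed_dir) if f.endswith(".igx")):
        with open(os.path.join(seed_dir, name), "rb") as fh:
            seed_bytes = fh.read()
        for i in range(iterations):
            case = os.path.join(work_dir, f"{name}-{i}.igx")
            with open(case, "wb") as fh:
                fh.write(mutate(seed_bytes, seed=i))
            if run_case(program, case) == "crash":
                shutil.copy(case, results_dir)
                crashes.append(case)
    return crashes
```

Run it as `campaign(r"C:\Ecava\igpe.exe")` from the FOE directory; the mutation seed is the iteration number, so any case listed in the returned crash list can be rebuilt from its seed file.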

At this point, I recommend that you go outside, take a nap, or otherwise occupy yourself while you let your campaign run. Give it at least 3 days and see what your results are at the end. You should come up with something like the below.

[image: fuzz1]

Unfortunately for this post, I didn't see any disclosures regarding file-parsing vulnerabilities from ICS-CERT or the usual sources, so I won't explore the results any further in today's post, to avoid disclosing any "surprise bugs."

Thanks for reading and be sure to check back for part 3!
